db-torque-user mailing list archives

From Martin Tilsted <til...@daimi.au.dk>
Subject Re: What is the best way to escape input to SqlEnum.CUSTOM?
Date Fri, 07 Mar 2008 18:54:38 GMT
Greg Monroe wrote:
> As long as the Criteria value object is a String, you don't 
> have to worry. The code should be calling the following 
> method: 
>
> SqlExpression.quoteAndEscapeText(String rawText, DB db)
>
> This surrounds the value with the correct quotes and 
> escapes stuff based on the type of DB.
>   
But that can't work for SqlEnum.CUSTOM, because what if the query is 
something like

String customPart = "myField like '%" + someText + "%'";
where someText is the user input.

Doing a criteria.add("Table", customPart, SqlEnum.CUSTOM);
If it escapes the entire query then the result will be wrong, because it 
will also escape the ' before the %, and that should not be escaped.

Which is why I am pretty sure I need to escape the someText string 
before I use it as part of a query with SqlEnum.CUSTOM.
(I know the query can be made without SqlEnum.CUSTOM; it's just an example.)
>   
>> -----Original Message-----
>> From: Martin Tilsted [mailto:tiller@daimi.au.dk]
>> Sent: Friday, March 07, 2008 1:01 PM
>> To: Apache Torque Users List
>> Subject: What is the best way to escape input to SqlEnum.CUSTOM?
>>
>> What is the best way to escape a (user input) value that is used as
>> part
>> of a SqlEnum.CUSTOM query?
>>
>> Is there a method that will escape strings based on the requirements of
>> the current open database connection?
>>
>> Martin
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
>> For additional commands, e-mail: torque-user-help@db.apache.org


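Escaping only the user-supplied fragment, as Martin describes, shown as an added example that is not part of the thread or of Torque's code. escapeLiteral, escapeLikePattern and containsFragment are hypothetical helpers; the quote-doubling rule is assumed for a standard-SQL database (Torque's own SqlExpression.quoteAndEscapeText applies the per-DB rule and is the authoritative source for it), and the sample input is constructed.

```java
// Added example, not from the thread or from Torque: escape only the
// user-supplied part of a CUSTOM criterion, leaving the surrounding
// quotes and % wildcards untouched.
// Assumption: the database follows standard SQL, where a single quote in
// a string literal is escaped by doubling it and backslash is not special.
// Torque's SqlExpression.quoteAndEscapeText applies the per-DB rule instead.
public final class CustomCriterionEscape {

    /** Escape a user value for use inside a SQL string literal (hypothetical helper). */
    static String escapeLiteral(String raw) {
        return raw.replace("'", "''");
    }

    /**
     * Additionally neutralise LIKE wildcards so the user text is matched
     * literally; the caller must add "escape '\'" to the LIKE clause.
     */
    static String escapeLikePattern(String raw) {
        String s = escapeLiteral(raw);
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    /** The fragment from the thread, with only the user part escaped. */
    static String containsFragment(String column, String userText) {
        return column + " like '%" + escapeLikePattern(userText) + "%' escape '\\'";
    }

    public static void main(String[] args) {
        // Constructed sample input containing a quote and a LIKE wildcard.
        String someText = "O'Neil 50%";

        // The pattern from the thread: raw concatenation breaks the literal.
        String unsafe = "myField like '%" + someText + "%'";
        // Hardened: someText is escaped, the quotes and % around it survive.
        String safe = containsFragment("myField", someText);

        System.out.println(unsafe); // myField like '%O'Neil 50%%'
        System.out.println(safe);   // myField like '%O''Neil 50\%%' escape '\'
        // Then, as in the thread: criteria.add("Table", safe, SqlEnum.CUSTOM);
    }
}
```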